DNSSEC and root.key problem

free.sites at gmx.net free.sites at gmx.net
Tue Apr 7 14:29:19 UTC 2020


Hi!
 
My unbound stopped working. I think I could track it down to the file root.key and DNSSEC. Unfortunately I can't figure out how to make it work again. :/
 
1) My system
unbound 1.9.0 with pihole on a Raspberry Pi. My unbound uses hyperlocal root and forward-addr'es for DoT.
 
2) What I did before the error occurred
I manually started an 'autoupdatelocalroot' script that checks if the local copy of root.hints is outdated and if so, creates a newer version of https://www.internic.net/domain/named.root and saves it locally. This update script has worked many times already. This time, however, it seems something went wrong somewhere.
 
3) What is the problem
Pihole now displays every DNS request as 'bogus'. If I turn DNSSEC off in pihole, host name resolution works again. However, DNSSEC was turned on all the time in pihole before and it worked flawlessly for months. So it can't be that pihole setting.
 
4) What I found out
"dig mail.de @9.9.9.9" returns NOERROR and the ad-flag is set. (This command avoids both unbound and pihole).
"dig mail.de @127.0.0.1 -p 5353" returns NOERROR, *but the ad-flag is missing*. (This command uses unbound, but avoids pihole)
"dig mail.de @127.0.0.1 -p 53" returns SERVFAIL and ad-flag missing (using unbound and pihole, latter one with DNSSEC=yes)
"dig mail.de @127.0.0.1 -p 53" returns NOERROR, but missing ad-flag. (using unbound and pihole, latter one with DNSSEC=no)
 
Because of the missing ad-flag in the second example I suspect something messed up the DNSSEC configuration.
 
5) What I tried
- I restored the previous root.hints file but to no avail. Same error.
I wonder if root.hints and root.key are in some way linked to each other or if each of them can be changed independently?
 
- I tried "sudo -u unbound unbound-anchor -v". It returns:
 
/var/lib/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed
 
- I restored the previous root.key file. Oddly enough, the ad-flag comes back (second command above), but pihole still displays every DNS request as bogus. -.-

6) My config files
 
root-auto-trust-anchor-file:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

root.key before unbound-anchor (using this file also makes the ad-flag appear):
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1586243231 ;;Tue Apr  7 09:07:11 2020
;;last_success: 1586243231 ;;Tue Apr  7 09:07:11 2020
;;next_probe_time: 1586329189 ;;Wed Apr  8 08:59:49 2020
;;query_failed: 0
;;query_interval: 86400
;;retry_time: 17280
.    86400    IN    DNSKEY    257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1577624636 ;;Sun Dec 29 14:03:56 2019

root.key after I deleted root.key manually and ran unbound-anchor (using this file makes the ad-flag disappear):
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
 

I'm lost. What can I do to set up a working and up-to-date root.key and DNSSEC configuration again? I'd also love to be able to set DNSSEC=yes in pihole as it was before for many months.
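Added example (not from the post, and not Unbound's own code): a small Python checker that parses both forms of root.key quoted above, the RFC 5011 autotrust DNSKEY file and the DS-only bootstrap that unbound-anchor writes, and lists what would keep a validator from trusting it. The samples are constructed from the two files in the post, with the DNSKEY base64 truncated because the code parses the file but never verifies the key.

```python
import re
import time

# Constructed samples modelled on the two root.key files quoted in the post
# (DNSKEY base64 truncated; this code never verifies the key material).
AUTOTRUST_SAMPLE = """; autotrust trust anchor file
;;id: . 1
;;next_probe_time: 1586329189 ;;Wed Apr  8 08:59:49 2020
;;query_failed: 0
.    86400    IN    DNSKEY    257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1v= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1577624636
"""
DS_SAMPLE = """. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
"""

# DNSKEY line as unbound's autotrust writer emits it, with its trailing ;{id = ...} and ;;state= annotations.
DNSKEY_RE = re.compile(r"^\.\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s+\S+"
                       r"\s*;\{id = (?P<tag>\d+) \((?P<kind>\w+)\)[^}]*\}\s*;;state=\d+\s*\[(?P<state>[^\]]*)\]")
# DS line as unbound-anchor writes it when it bootstraps a fresh file.
DS_RE = re.compile(r"^\.\s+IN\s+DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dt>\d+)\s+[0-9A-Fa-f]+$")

def parse_root_key(text):
    """Parse either form of root.key into anchors plus the autotrust probe bookkeeping."""
    info = {"format": "empty", "anchors": [], "next_probe_time": None, "query_failed": 0}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r";;next_probe_time:\s*(\d+)", line):
            info["next_probe_time"] = int(m.group(1))
        elif m := re.match(r";;query_failed:\s*(\d+)", line):
            info["query_failed"] = int(m.group(1))
        elif m := DNSKEY_RE.match(line):
            info["format"] = "autotrust"
            info["anchors"].append({"tag": int(m["tag"]), "kind": m["kind"], "state": m["state"].strip()})
        elif m := DS_RE.match(line):
            info["format"] = "ds"
            info["anchors"].append({"tag": int(m["tag"]), "kind": "ds", "state": "DS"})
    return info

def check_root_key(text, now=None):
    """Return findings that would explain a broken anchor; an empty list means it looks healthy."""
    now = time.time() if now is None else now
    info = parse_root_key(text)
    findings = []
    if info["format"] == "empty":
        findings.append("no trust anchor records found")
    elif info["format"] == "ds":
        findings.append("DS-only bootstrap file from unbound-anchor; unbound rewrites it in autotrust "
                        "DNSKEY form only after a successful root DNSKEY probe")
    else:
        if not [a for a in info["anchors"] if a["kind"] == "ksk" and a["state"] == "VALID"]:
            findings.append("no KSK in state VALID")
        if info["query_failed"]:
            findings.append(f"{info['query_failed']} failed probe(s) recorded")
        if info["next_probe_time"] and info["next_probe_time"] < now - 86400:
            findings.append("next_probe_time is more than a day overdue; unbound has not been probing the root")
    return findings
```

Run it against the live file with `check_root_key(open("/var/lib/unbound/root.key").read())` to see which of the two states the post describes the file is in.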



More information about the Unbound-users mailing list